Pagoda Blog

Hackers Moving from Underground to Mainstream Sites

May 7, 2013

By Tracy Kitten, April 26, 2013. Follow Tracy @FraudBlogger

Within the last week, researchers at security vendor RSA stumbled upon a Facebook page called Casper Spy Botnet that hackers and malware developers were using to promote and sell the legacy banking Trojan Zeus.

The page has since been deactivated, says RSA's Limor Kessem, a top cyber-intelligence expert within The Security Division of EMC. But it's likely it was available for several months. And it signifies a concerning trend, she says in an interview with BankInfoSecurity.

"This just brings Trojans to the awareness of those who would not otherwise be selling Trojans or using them," Kessem says. "It was just interesting to see Trojans being sold on a popular site, like Facebook. It proves the sale of Trojans has moved from the underground."

Marketing Zeus

In a blog posted April 24, Kessem notes that the page was being used to openly sell and market the toolkit for Zeus version 1, as well as stolen credit card numbers. The page also offered tips about how to commit card fraud, suggesting so-called "fraud-as-a-service" is moving into the mainstream, she contends.

"Fraud-as-a-service mostly remained hidden in the deep enclaves of dark online markets, only advertised to those who were in the know, sought in the right place, or knew the right people," Kessem writes. "But that's all a thing of the past, it seems. Social networks are such a great place for malware infections and phishing, why not just market the botnet directly from there?"

Financial fraud expert Avivah Litan, an analyst for the consultancy Gartner Inc., says cybercriminals, through the promotion of malware and other malicious schemes on social networks such as Facebook, are indirectly encouraging open-source Trojan development.

"Jobless, creative hackers are likely to improve on the malware code and then sell it back to the cybercriminal organizers or their network members for a fee," she says. "This will definitely foster competition in the underworld - and is doing so in a very open, public way. I've never seen anything like this, but it stands to reason that it would happen, given how easy it is for these criminals to get away with these activities."

A Warning to Banks

Zeus v1, which was released in 2007, is not the most advanced Trojan on the market, Kessem says. But it's still effective at compromising online-banking account logins and passwords, she adds.

"Banks need to know that it's easier for these Trojans to spread," Kessem says. "It's too easy for anyone to get their hands on now; it's too widespread. And I think it just speaks to how available these Trojans are today."

And while Kessem does not recommend any new preventive measures banking institutions should be taking, she says the advent of public promotion of Trojans suggests more attacks will be waged from more, and previously unlikely, sources.

"There's not much banks can do to prevent these attacks, since this is an active Trojan [Zeus] that's been in the wild for six years," she says. "But this shows how quickly cybercrime is spreading."

These types of public forums also allow cybercriminals and would-be criminals the ability to readily join the conversation, Kessem says. Beyond the sale of Zeus, the page was being used to market other crimes, such as credit card fraud, she says.

"This was like a how-to page on Facebook," Kessem says. "The developer was using it to sell Zeus and another guy, the one maintaining the page, was talking about selling credit-card numbers and committing fraud. They feel they can do this openly because law enforcement in their country probably does not care."

Kessem says she believes the developer selling the Zeus kit and the creator of the Facebook page are based in Malaysia. Facebook has a policy for reporting abuse, which is how RSA was able to request that the page be removed.

The advent of this type of open malware promotion proves more cross-border collaboration among law enforcement, especially in countries where hacking laws are lax, is needed, Kessem adds.

"Marketing cybercrime in such an open and accessible manner is not something common," Kessem notes in her blog. "Cybercriminals usually fear for their freedom and will not expose their endeavors online to potential undercover cyber-police officers and security research. Those who would take such a chance, in favor of selling their wares to a larger audience, do so because they trust the anti-digital crime laws in their countries are more forgiving or downright absent."